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REMARKS/ARGUMENTS 

I. Status of the Claims 

As filed, the application included claims 1-65. This amendment amends claims 1, 

4, 15, 16, 21, 32, 33, 38, 41-43, 46, 47, 50, 55, 60 and 63. The applicants reserve the right to 
reintroduce the unamended claims in this or another application. Following entry of this 
amendment, therefore, claims 1-65 remain pending for examination. 

II. Claim Amendments 

Claim 1 has been amended to recite "relying on said first authentication system 

for authenticating said first user . . . ," and claims 15, 21, 32, 38, 46, 50 and 55 have been 
amended to add similar elements. A similar element can be found in original claim 26. Claims 
4, 16, 33, 41, 43 and 47 have been amended to provide consistency with the amended base 
claims from which each of those claims respectively depend. Claims 1, 15, 21, 32, 38, 46, 50 
and 55 also have been amended to recite "from a first user" to provide proper antecedent basis 
for the phrase "for authenticating said first user." 

Claims 60 and 63 each have been amended to remove the word "of," which was 
inadvertently included in the claim as filed. 

m. Claim Rejections under 35 U.S.C. $112 

The office action rejected claim 10 under § 1 12, ^ 1 because "the specification 

does not reasonable provide enablement for such an application NOT comprising APIs as part of 

the application software." This rejection is respectfully traversed. 

Claim 10 recites that "said authorization system is part of an access system that 

protects a plurality of resources and does not have an application program interface." While the 

specification certainly does support the use of APIs in some embodiments, the specification 

specifically describes other embodiments in which APIs are not needed. Merely by way of 

example, the application (p. 71, 11. 18-25) describe various embodiments, some of which employ 

API, and some of which do not necessarily need APIs: ""In another embodiment, the system of 

Figure 1 can accept input in XML format and provide output in XML format. Additionally, the 
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system will make use of XML remote procedure calls (RPC). ... In another embodiment, 
Access System services can be used by third party applications through an API." In describing 
the use of XML and/or RPCs for communication and/or interaction, the application describes at 
least two examples of how a system might protect a plurality of resources without an API 
(although it should also be noted as well that, in some embodiments, APIs could be used in 
addition to XML and/or RPC communications). 

Based at least on this disclosure, one skilled in the art would be able to practice 
"an authorization system [that] is part of an access system that protects a plurality of resources 
and does not have an application program interface," and the applicants respectfully request the 
retraction of the § 1 12, If 1 rejection of claim 10. 

IV. Claim Rejections under 35 U.S.C. §102 

All pending claims were rejected under § 102(b) as being anticipated by U.S. 

Patent No. 6,460,141 ("Olden"). The present application was filed June 21, 2001, and Olden 

issued October 1, 2002. Hence, the invention described in Olden was not patented more than 

one year before the filing date of the present application, and Olden therefore is not prior art 

under § 102(b). For at least this reason, the applicants respectfully traverse the rejections of 

claims 1-65 under § 102(b). 

Assuming, arguendo, that Olden does qualify as prior art under another provision 

of § 102, Olden still fails to teach or suggest each element of any pending claim, and for that 

additional reason, Olden fails to anticipate any pending claim. Merely by way of example, claim 

1, as amended, recites, inter alia, " relying on said first authentication system for authenticating 

said first user . . . ." Claim 1 also recites that "said authorization system is separate from said 

first authentication system." Independent claims 15, 21, 26, 32, 38, 46, 50 and 55 include similar 

elements. (For example, claims 38, 46 and 55 recite an access system that is programmed to 

perform a method including the step of " relying on said authentication system for authenticating 

said first user . . . Claim 38 also recites "a first authentication system external to said access 

system," and claims 46 and 55 include similar recitations.) Olden fails to teach or suggest at 

least these claim elements. 
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For instance, the office action equates the "authorization component" of Olden 

with the authorization system recited in claim 1 . The office action also equates the "entitlement 

server" of Olden with the authentication system recited in claim 1 . Assuming these 

characterizations of Olden are correct (a proposition the applicants do not concede), Olden does 

not teach that the authorization component of Olden's system relies on the entitlement server for 

authenticating users. In fact, Olden fails to teach or suggest that the authorization component 

relies on anything to authenticate users. To the contrary, Olden (c. 23, 11. 46-54) teaches: 

"In operation, when an authorization server 24 
[which is part of the authorization component 12 (see Fig. 1)] 
receives an authorization request from either an enabled Web 
server 20 or from an API client 22, the authorization server 
performs various steps for authorization, as shown in Fig. 28. In 
other to determine whether or not the user is valid, when an 
authorization server 24 receives an authentication request from 
either an enabled Web server 20 or from an API client 22, the 
authorization server performs various steps for validation , as 
shown in Fig. 29." 

(emphasis added). As can be seen from Figs. 28 and 29 of Olden, the authorization component 
(which includes the authorization server) performs both authentication procedures (including 
determining whether the user exists, whether the password is correct, etc;) and authorization 
services (including determining whether a URL is protected, whether the URL is valid, whether 
the user has entitlements to the URL, etc.). 

Thus, Olden not only fails to teach relying on a separate (or external, as some 
claims recite) authentication system for authenticating a user, Olden expressly teaches that a 
single authorization server performs both authentication and authorization services. Olden, 
therefore, fails to anticipate claim 1 . For at least similar reasons, Olden fails to anticipate 
independent claims 15, 21, 26, 32, 38, 47, 50, 55. 

Moreover, the use of a single system component (the authorization component) to 
provide both authentication and authorization services is a fundamental principle of Olden's 
operation. Olden thus cannot be modified (or combined with another reference) to read on the 
pending claims without altering this fundamental principle of operation, and Olden therefore 
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properly could not be used (either alone or in combination with other references) as the basis of a 
§ 103 rejection of claims 1, 15, 21, 26, 32, 38, 47, 50 or 55. Hence, these claims are allowable 
over Olden, and the applicants respectfully submit that the rejections of these claims should be 
withdrawn. 

Independent claim 60 is allowable for at least similar reasons. In addition, claim 
60 recites that "said access system provides for reliance on one or more external authentication 
systems, said configuration information provides an indication to said access system to rely on a 
first external authentication system for said first resource." Nothing in Olden teaches that 
configuration information might provide an indication to rely on an external authentication 
system for a particular resource. In fact, as noted above, Olden teaches that the authorization 
system performs authentication services, so Olden would have no need for reliance on any 
authentication system, either external or otherwise. Claim 60 thus is allowable for this additional 
reason. 

Similarly, claim 63 recites, inter alia, " providing for using one or more internal 
authentication systems," and "providing for reliance on one or more external authentication 
systems." Olden fails to teach or suggest these elements, and claim 63 is allowable for at least 
this additional reason. 

Dependent claims 2-14, 16-20, 22-26, 28-31, 33-37, 39-46, 48, 49, 51-54, 56-59, 
61, 62, 64 and 65 are allowable as depending from allowable base claim and as being directed to 
specific novel substitutes. Merely by way of example, claim 4 recites, inter alia, "determining 
that authentication for said first resource is to be performed by said first authentication system." 
The office action posits that the system of Olden inherently requires this element. As noted 
above, however, the system of Olden uses the authorization component, not a separate 
authentication system, to perform authentication. Hence, it would not be inherent in Olden's 
disclosure to determine that authentication is to be performed by a separate authentication 
system, since Olden's authorization component itself would provide authentication. 

As but another example, claim 8 recites that " said first authentication system is a 
default web server authentication system; said second authentication system is an authentication 
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plug-in; and said third authentication system is a third party authentication system." While the 
cited portions of Olden do mention web server plug-ins, nothing in Olden teaches that an 
authentication plug-in, a default web server authentication system or a third party authentication 
system might be used to perform authentication, let alone that all three might be used for 
different resources. 



For at least the above reasons, it is believed that all pending claims are allowable 



over Olden, and it is respectfully submitted that the § 102 rejections should be withdrawn. A 
notice of allowance at an early date would be appreciated. 



If the Examiner believes a telephone conference would expedite prosecution of 
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this application, please telephone the undersigned at 303-571-4000. 



Respectfully submitted, 
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